You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
253 lines
8.1 KiB
253 lines
8.1 KiB
From fba88f42bf8490a23fa6dcd33de2ccd59170009b Mon Sep 17 00:00:00 2001 |
|
From: Ondrej Mosnacek <omosnace@redhat.com> |
|
Date: Tue, 26 Oct 2021 13:52:39 +0200 |
|
Subject: [PATCH] setfiles/restorecon: support parallel relabeling |
|
|
|
Use the newly introduced selinux_restorecon_parallel(3) in |
|
setfiles/restorecon and a -T option to both to allow enabling parallel |
|
relabeling. The default behavior without specifying the -T option is to |
|
use 1 thread; parallel relabeling must be requested explicitly by |
|
passing -T 0 (which will use as many threads as there are available CPU |
|
cores) or -T <N>, which will use <N> threads. |
|
|
|
=== Benchmarks === |
|
As measured on a 32-core cloud VM with Fedora 34. Not a fully |
|
representative environment, but still the scaling is quite good. |
|
|
|
WITHOUT PATCHES: |
|
$ time restorecon -rn /usr |
|
|
|
real 0m21.689s |
|
user 0m21.070s |
|
sys 0m0.494s |
|
|
|
WITH PATCHES: |
|
$ time restorecon -rn /usr |
|
|
|
real 0m23.940s |
|
user 0m23.127s |
|
sys 0m0.653s |
|
$ time restorecon -rn -T 2 /usr |
|
|
|
real 0m13.145s |
|
user 0m25.306s |
|
sys 0m0.695s |
|
$ time restorecon -rn -T 4 /usr |
|
|
|
real 0m7.559s |
|
user 0m28.470s |
|
sys 0m1.099s |
|
$ time restorecon -rn -T 8 /usr |
|
|
|
real 0m5.186s |
|
user 0m37.450s |
|
sys 0m2.094s |
|
$ time restorecon -rn -T 16 /usr |
|
|
|
real 0m3.831s |
|
user 0m51.220s |
|
sys 0m4.895s |
|
$ time restorecon -rn -T 32 /usr |
|
|
|
real 0m2.650s |
|
user 1m5.136s |
|
sys 0m6.614s |
|
|
|
Note that the benchmarks were performed in read-only mode (-n), so the |
|
labels were only read and looked up in the database, not written. When |
|
fixing labels on a heavily mislabeled system, the scaling would likely |
|
be event better, since a larger % of work could be done in parallel. |
|
|
|
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> |
|
--- |
|
policycoreutils/setfiles/Makefile | 2 +- |
|
policycoreutils/setfiles/restore.c | 7 ++++--- |
|
policycoreutils/setfiles/restore.h | 2 +- |
|
policycoreutils/setfiles/restorecon.8 | 9 +++++++++ |
|
policycoreutils/setfiles/setfiles.8 | 9 +++++++++ |
|
policycoreutils/setfiles/setfiles.c | 28 ++++++++++++++++----------- |
|
6 files changed, 41 insertions(+), 16 deletions(-) |
|
|
|
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile |
|
index 63d818509791..d7670a8ff54b 100644 |
|
--- a/policycoreutils/setfiles/Makefile |
|
+++ b/policycoreutils/setfiles/Makefile |
|
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man |
|
AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y) |
|
|
|
CFLAGS ?= -g -Werror -Wall -W |
|
-override LDLIBS += -lselinux -lsepol |
|
+override LDLIBS += -lselinux -lsepol -lpthread |
|
|
|
ifeq ($(AUDITH), y) |
|
override CFLAGS += -DUSE_AUDIT |
|
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c |
|
index 9d688c609f79..74d48bb3752d 100644 |
|
--- a/policycoreutils/setfiles/restore.c |
|
+++ b/policycoreutils/setfiles/restore.c |
|
@@ -72,7 +72,7 @@ void restore_finish(void) |
|
} |
|
} |
|
|
|
-int process_glob(char *name, struct restore_opts *opts) |
|
+int process_glob(char *name, struct restore_opts *opts, size_t nthreads) |
|
{ |
|
glob_t globbuf; |
|
size_t i = 0; |
|
@@ -91,8 +91,9 @@ int process_glob(char *name, struct restore_opts *opts) |
|
continue; |
|
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) |
|
continue; |
|
- rc = selinux_restorecon(globbuf.gl_pathv[i], |
|
- opts->restorecon_flags); |
|
+ rc = selinux_restorecon_parallel(globbuf.gl_pathv[i], |
|
+ opts->restorecon_flags, |
|
+ nthreads); |
|
if (rc < 0) |
|
errors = rc; |
|
} |
|
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h |
|
index ac6ad6809f4f..bb35a1db9e34 100644 |
|
--- a/policycoreutils/setfiles/restore.h |
|
+++ b/policycoreutils/setfiles/restore.h |
|
@@ -49,7 +49,7 @@ struct restore_opts { |
|
void restore_init(struct restore_opts *opts); |
|
void restore_finish(void); |
|
void add_exclude(const char *directory); |
|
-int process_glob(char *name, struct restore_opts *opts); |
|
+int process_glob(char *name, struct restore_opts *opts, size_t nthreads); |
|
extern char **exclude_list; |
|
|
|
#endif |
|
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 |
|
index a8900f02b3f3..dbd55ce7c512 100644 |
|
--- a/policycoreutils/setfiles/restorecon.8 |
|
+++ b/policycoreutils/setfiles/restorecon.8 |
|
@@ -33,6 +33,8 @@ restorecon \- restore file(s) default SELinux security contexts. |
|
.RB [ \-W ] |
|
.RB [ \-I | \-D ] |
|
.RB [ \-x ] |
|
+.RB [ \-T |
|
+.IR nthreads ] |
|
|
|
.SH "DESCRIPTION" |
|
This manual page describes the |
|
@@ -160,6 +162,13 @@ prevent |
|
.B restorecon |
|
from crossing file system boundaries. |
|
.TP |
|
+.BI \-T \ nthreads |
|
+use up to |
|
+.I nthreads |
|
+threads. Specify 0 to create as many threads as there are available |
|
+CPU cores; 1 to use only a single thread (default); or any positive |
|
+number to use the given number of threads (if possible). |
|
+.TP |
|
.SH "ARGUMENTS" |
|
.IR pathname \ ... |
|
The pathname for the file(s) to be relabeled. |
|
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 |
|
index 0692121f2f4d..8ef9f602e843 100644 |
|
--- a/policycoreutils/setfiles/setfiles.8 |
|
+++ b/policycoreutils/setfiles/setfiles.8 |
|
@@ -19,6 +19,8 @@ setfiles \- set SELinux file security contexts. |
|
.RB [ \-W ] |
|
.RB [ \-F ] |
|
.RB [ \-I | \-D ] |
|
+.RB [ \-T |
|
+.IR nthreads ] |
|
.I spec_file |
|
.IR pathname \ ... |
|
|
|
@@ -161,6 +163,13 @@ quote marks or backslashes. The |
|
option of GNU |
|
.B find |
|
produces input suitable for this mode. |
|
+.TP |
|
+.BI \-T \ nthreads |
|
+use up to |
|
+.I nthreads |
|
+threads. Specify 0 to create as many threads as there are available |
|
+CPU cores; 1 to use only a single thread (default); or any positive |
|
+number to use the given number of threads (if possible). |
|
|
|
.SH "ARGUMENTS" |
|
.TP |
|
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c |
|
index f018d161aa9e..2313a21fa0f3 100644 |
|
--- a/policycoreutils/setfiles/setfiles.c |
|
+++ b/policycoreutils/setfiles/setfiles.c |
|
@@ -1,4 +1,5 @@ |
|
#include "restore.h" |
|
+#include <stdlib.h> |
|
#include <unistd.h> |
|
#include <fcntl.h> |
|
#include <stdio_ext.h> |
|
@@ -34,14 +35,14 @@ static __attribute__((__noreturn__)) void usage(const char *const name) |
|
{ |
|
if (iamrestorecon) { |
|
fprintf(stderr, |
|
- "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n" |
|
- "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n", |
|
+ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] pathname...\n" |
|
+ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] -f filename\n", |
|
name, name); |
|
} else { |
|
fprintf(stderr, |
|
- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n" |
|
- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n" |
|
- "usage: %s -s [-diIDlmnpqvFW] spec_file\n", |
|
+ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n" |
|
+ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n" |
|
+ "usage: %s -s [-diIDlmnpqvFWT] spec_file\n", |
|
name, name, name); |
|
} |
|
exit(-1); |
|
@@ -144,12 +145,12 @@ int main(int argc, char **argv) |
|
int opt, i = 0; |
|
const char *input_filename = NULL; |
|
int use_input_file = 0; |
|
- char *buf = NULL; |
|
- size_t buf_len; |
|
+ char *buf = NULL, *endptr; |
|
+ size_t buf_len, nthreads = 1; |
|
const char *base; |
|
int errors = 0; |
|
- const char *ropts = "e:f:hiIDlmno:pqrsvFRW0x"; |
|
- const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0"; |
|
+ const char *ropts = "e:f:hiIDlmno:pqrsvFRW0xT:"; |
|
+ const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0T:"; |
|
const char *opts; |
|
union selinux_callback cb; |
|
|
|
@@ -370,6 +371,11 @@ int main(int argc, char **argv) |
|
usage(argv[0]); |
|
} |
|
break; |
|
+ case 'T': |
|
+ nthreads = strtoull(optarg, &endptr, 10); |
|
+ if (*optarg == '\0' || *endptr != '\0') |
|
+ usage(argv[0]); |
|
+ break; |
|
case 'h': |
|
case '?': |
|
usage(argv[0]); |
|
@@ -448,13 +454,13 @@ int main(int argc, char **argv) |
|
buf[len - 1] = 0; |
|
if (!strcmp(buf, "/")) |
|
r_opts.mass_relabel = SELINUX_RESTORECON_MASS_RELABEL; |
|
- errors |= process_glob(buf, &r_opts) < 0; |
|
+ errors |= process_glob(buf, &r_opts, nthreads) < 0; |
|
} |
|
if (strcmp(input_filename, "-") != 0) |
|
fclose(f); |
|
} else { |
|
for (i = optind; i < argc; i++) |
|
- errors |= process_glob(argv[i], &r_opts) < 0; |
|
+ errors |= process_glob(argv[i], &r_opts, nthreads) < 0; |
|
} |
|
|
|
maybe_audit_mass_relabel(r_opts.mass_relabel, errors); |
|
-- |
|
2.33.1 |
|
|
|
|